Joe DeBlasio

My interests are widespread across security and privacy, but I'm
particularly interested in the WebPKI and practical security and privacy
improvements. My graduate work focused on security/privacy measurement with
a special focus on fraud and abuse.

Publications

While phishing detection, risk analysis, and two-factor authentication help
stem large-scale hijackings, targeted attacks remain a potent threat not fully
addressed by current account protections. "Hack for hire" services make
targeted attacks against anyone available for a few hundred dollars. Posing as
buyers, we hired several of these services to attack synthetic (though
realistic) identities we controlled. We categorize their methods and the state
of the market in general.

Though users increasingly rely on commercial VPN services to preserve online
privacy, circumvent censorship, and access geo-filtered content, they lack
a strong method for evaluating the privacy and security claims made by VPN
providers. We designed an active
measurement system to test many security and privacy properties, analyzed
62 commercial providers, and found deceptive practices in at least 10% of the
providers studied.

Tripwire is a method for detecting website compromises as an
unprivileged third-party using externally-visible side effects. Our
proof-of-concept implementation exposed previously-unknown compromises
impacting more than 100 million users.

This work explored search advertiser fraud on Microsoft's Bing search engine,
characterizing the scale of fraud, the targeting and bidding behavior of
fraudsters, and how those fraudsters impact legitimate advertisers in the
ecosystem.

Teaching

I co-designed and taught CSE 80, covering
essential Linux/UNIX command line skills for all computer scientists and
software engineers. The course is highly interactive, taking place entirely at a
traditional Bash command prompt.